What Is the AWS Encryption SDK?

The AWS Encryption SDK is an encryption library that helps make it easier for you to implement encryption best practices in your application. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data.

The AWS Encryption SDK answers questions like the following for you:

Which encryption algorithm should I use?

How, or in which mode, should I use that algorithm?

How do I generate the encryption key?

How do I protect the encryption key, and where should I store it?

How can I make my encrypted data portable?

How do I ensure that the intended recipient can read my encrypted data?

How can I ensure my encrypted data is not modified between the time it is written and when it is read?

Without the AWS Encryption SDK, you might spend more effort on building an encryption solution than on the core functionality of your application. The AWS Encryption SDK answers these questions by providing the following.

A Default Implementation that Adheres to Cryptography Best Practices

By default, the AWS Encryption SDK generates a unique data key for each data object that it encrypts. This follows the cryptography best practice of using unique data keys for each encryption operation.

The AWS Encryption SDK protects the data keys that encrypt your data by encrypting them under one or more master keys. By providing a framework to encrypt data keys with more than one master key, the AWS Encryption SDK helps make your encrypted data portable.

For example, you can encrypt data under multiple AWS Key Management Service (AWS KMS) customer master keys (CMKs), each in a different AWS Region. Then you can copy the encrypted data to any of the regions and use the CMK in that region to decrypt it. You can also encrypt data under a CMK in AWS KMS and a master key in an on-premises HSM, enabling you to later decrypt the data even if one of the options is unavailable.

A Formatted Message that Stores Encrypted Data Keys with the Encrypted Data

The AWS Encryption SDK stores the encrypted data and encrypted data key together in an encrypted message that uses a defined data format. This means you don't need to keep track of or protect the data keys that encrypt your data, because the AWS Encryption SDK does it for you.

With the AWS Encryption SDK, you define a master key provider that returns one or more master keys. Then you encrypt and decrypt your data using straightforward methods provided by the AWS Encryption SDK. The AWS Encryption SDK does the rest.
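The following is an added, self-contained illustration of the envelope-encryption pattern the two sections above describe: a fresh data key for every message, that data key wrapped under every master key the provider returns, the encrypted data keys carried in the message header alongside the ciphertext, and an integrity check that rejects a message modified between writing and reading. It is not AWS Encryption SDK code and does not use the SDK's API or message format. To stay runnable offline with only the Python standard library, it substitutes an HMAC-SHA256 keystream with an encrypt-then-MAC tag for the AES-GCM the SDK uses, a JSON envelope for the SDK's binary message format, and a hypothetical `MasterKey` class holding raw key bytes for a KMS CMK or HSM key (which in practice never leaves the service); the key ids and plaintext are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> tuple:
    """Encrypt-then-MAC with sub-keys derived from `key`; stands in for AES-GCM."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def _open(key: bytes, nonce: bytes, ct: bytes, tag: bytes, aad: bytes) -> bytes:
    """Verify the tag over header, nonce and body before releasing any plaintext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MasterKey:
    """Hypothetical stand-in for one master key (a KMS CMK in one Region, or an HSM key)."""

    def __init__(self, key_id: str, key_bytes: bytes):
        self.key_id = key_id
        self._key = key_bytes

    def encrypt_data_key(self, data_key: bytes) -> dict:
        nonce, ct, tag = _seal(self._key, data_key, self.key_id.encode())
        return {"key_id": self.key_id, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

    def decrypt_data_key(self, edk: dict) -> bytes:
        return _open(self._key, bytes.fromhex(edk["nonce"]), bytes.fromhex(edk["ct"]),
                     bytes.fromhex(edk["tag"]), self.key_id.encode())


def encrypt(plaintext: bytes, master_keys: list) -> bytes:
    """Unique data key per message, wrapped under every master key; the header
    listing the encrypted data keys is authenticated together with the body."""
    data_key = secrets.token_bytes(32)
    header = {"version": 1,
              "encrypted_data_keys": [mk.encrypt_data_key(data_key) for mk in master_keys]}
    aad = json.dumps(header, sort_keys=True).encode()
    nonce, ct, tag = _seal(data_key, plaintext, aad)
    return json.dumps({"header": header, "nonce": nonce.hex(),
                       "ciphertext": ct.hex(), "tag": tag.hex()}).encode()


def decrypt(message: bytes, master_keys: list) -> bytes:
    """Unwrap the data key with whichever listed master key is available, then open the body."""
    msg = json.loads(message)
    header = msg["header"]
    available = {mk.key_id: mk for mk in master_keys}
    for edk in header["encrypted_data_keys"]:
        if edk["key_id"] in available:
            data_key = available[edk["key_id"]].decrypt_data_key(edk)
            break
    else:
        raise KeyError("no encrypted data key in the message matches an available master key")
    aad = json.dumps(header, sort_keys=True).encode()
    return _open(data_key, bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ciphertext"]),
                 bytes.fromhex(msg["tag"]), aad)


def encrypted_data_key_ids(message: bytes) -> list:
    """Master key ids recorded in the header; readable without any key."""
    return [edk["key_id"] for edk in json.loads(message)["header"]["encrypted_data_keys"]]


def corrupt_ciphertext(message: bytes) -> bytes:
    """Flip one bit of the body to simulate modification in transit or at rest."""
    msg = json.loads(message)
    body = bytearray(bytes.fromhex(msg["ciphertext"]))
    body[0] ^= 0x01
    msg["ciphertext"] = body.hex()
    return json.dumps(msg).encode()


if __name__ == "__main__":
    # Constructed stand-ins for two CMKs in different Regions.
    us = MasterKey("example-cmk-us-east-1", secrets.token_bytes(32))
    eu = MasterKey("example-cmk-eu-west-1", secrets.token_bytes(32))
    msg = encrypt(b"customer record 42", [us, eu])
    print(encrypted_data_key_ids(msg))
    print(decrypt(msg, [eu]))  # a copy in the second Region decrypts with only its own CMK
    try:
        decrypt(corrupt_ciphertext(msg), [us])
    except ValueError as err:
        print("rejected:", err)
```

Two design points carry over to the real SDK regardless of primitive: the header that names the master keys is bound into the authentication tag, so an attacker cannot swap in a different encrypted data key without the check failing, and decryption succeeds with any one of the master keys the message was encrypted under, which is what makes the cross-Region and KMS-plus-HSM portability described above work.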

Where to find more information

If you're looking for more information about the AWS Encryption SDK and client-side encryption, try these sources.

If you have questions or comments about this guide, let us know! Choose the feedback link in the lower-right corner of the page or the GitHub link in the upper-right corner of the page. You can also file an issue in the aws-encryption-sdk-docs GitHub repository for this guide.

The AWS Encryption SDK is provided free of charge under the Apache license.
